Currently (draft -16) client_id is listed as a required parameter for access token requests to the token endpoint for all grant types except for extensions. In section 3 there is some disposition of the use of client_id as a means of identification and then, in 3.2, a requirement that client authentication mechanisms must "define a mapping between the client identifier and the credentials used to authenticate."
Does this imply that, if client authentication is done at the token endpoint for any extension grant, that the client_id parameter is also required? If so, perhaps it could be made more explicit somewhere in section 3 or section 5. I remember that there was some consensus a while back that client identification/authentication should be optional for the extensions, and that makes sense. But when authentication is done, it seems like it should be consistent with the way the other grants do it - that allows for implementations to have a cleaner separation between client authentication and grant processing.
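The separation raised in the message above, as an added example that is not part of the original post or of the draft: a token-endpoint dispatcher that authenticates the client once, before any grant handler runs, and requires `client_id` whenever credentials are presented, including for an extension grant. The client registry, the extension grant URI, the handler signature and the set of grants that require authentication are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed client registry: client_id -> SHA-256 hex digest of the client secret.
CLIENTS = {"s6BhdRkqt3": hashlib.sha256(b"gX1fBat3bV").hexdigest()}

# Hypothetical extension grant, identified by an absolute URI.
EXT_GRANT = "https://example.com/grants/assertion"
# Assumption: these grants require client authentication in this example.
AUTH_REQUIRED = {"authorization_code", "refresh_token", "client_credentials"}


class TokenError(Exception):
    """Carries an OAuth error code for the token error response."""


def authenticate_client(params):
    """Return the authenticated client_id, or None if no credentials were sent."""
    client_id = params.get("client_id")
    secret = params.get("client_secret")
    if secret is None:
        return None  # unauthenticated request; the caller decides if that is acceptable
    if not client_id:
        # Credentials without an identifier cannot be mapped to a registered client.
        raise TokenError("invalid_request")
    expected = CLIENTS.get(client_id, "")
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(expected, presented):
        raise TokenError("invalid_client")
    return client_id


def handle_token_request(params, grant_handlers):
    """Authenticate first, then dispatch; handlers never see client credentials."""
    grant_type = params.get("grant_type")
    if grant_type not in grant_handlers:
        raise TokenError("unsupported_grant_type")
    client = authenticate_client(params)
    if client is None and grant_type in AUTH_REQUIRED:
        raise TokenError("invalid_client")
    grant_params = {k: v for k, v in params.items()
                    if k not in ("client_id", "client_secret")}
    return grant_handlers[grant_type](client, grant_params)
```

Because the authentication step is identical for every grant type, an extension grant handler receives either a verified client identifier or `None` and never has to parse credentials itself.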